As we look at multiple security disciplines and how we protect, Identity is the base
Authentication
Authenticate users and devices
Pervasively apply across the network

Authorization (and Accounting)
Dynamically differentiate and control network access
Access is based on who, what, when, where, how
Centralized accounting of user and device access
Compliance (PCI, company)

Accessing the environment is tied into:
What the role of the individual / machine is: this can be based on the group the user is in (such as, in Active Directory, the notion that Fred is in marketing)
What type of device is being used: personal PC, corporate laptop, some other peripheral
Other conditions that apply to determine the level of access: when, is it healthy, where is it coming from

At the end of the day, authorization is granted to allow the user/device a certain level of network access, for example:
Broad access for compliant employees
Limited access for contractors, only to specific resources
Guest/internet-only access for visitors
Quarantine for non-compliant devices
Deny access for undesirables

This is coarse-grained access, controlling where the user/device is able to "send a packet", i.e. IP reachability. It is not the same as IAM or authenticating to a server; rather, it is the ability to even send a packet to the server.
Guest access is the second major use-case pillar of an access policy. All companies have guests who need to be allowed, at a minimum, to connect to the internet to work while on premises. Guest access is a lifecycle solution, more than just dealing with a captive portal web page to click through (like at a hotel). NAC Guest Server is the basis for Cisco's solution.
The third important use-case for an access policy is dealing with non-user devices. These are endpoints that cannot authenticate:
Workgroup resources like printers and faxes
Security equipment like IP cameras, badge readers, alarms
Facilities equipment like temperature systems and coolants/heaters
Line-of-business machines like medical equipment, cash registers, robots, etc.

There are more of these than user machines and they are breeding faster than us, and there is rarely anyone who has total knowledge of what and where they are (federated ownership model). They must be part of the solution, and are often overlooked when considering this space.

There are 3 levels customers often want to address:
Awareness of what devices are on the network (just collect the MAC addresses centrally)
Classifying the devices so you can differentiate access (an HP printer versus an alarm system)
Preventing spoofing: making sure the printer isn't John's PC with a spoofed MAC

NAC Profiler is Cisco's solution to addressing them:
Discover and Identify Endpoints: leverage switch & router device tables; automated device traffic profiling; analyze endpoint traffic (ARP, DHCP, DNS, RADIUS, CDP, SNMP, MAC address, web & SNMP banners)
Differentiated Access: dynamic access policy applied based on endpoint device type
Spoof Mitigation: detect classification inconsistencies; NetFlow for behavior monitoring
The information system typically uses either shared known information (e.g., Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses) or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP) or a Radius server with EAP-Transport Layer Security (TLS) authentication) to identify and authenticate devices on local and/or wide area networks. The required strength of the device authentication mechanism is determined by the FIPS 199 security categorization of the information system with higher impact levels requiring stronger authentication.
Transcript: Let's take a look at those at a high level if the slides come up. I'm going to go ahead and pop all three of them up here. In the Monitor Mode, since we had the ports completely wide open but we're still trying to allow .1X and MAB, you can actually start to gain visibility through the use of the AAA logs in AFBS. It's great for a pre-deployment tool and it streamlines getting your network up and ready before you actually turn on Access Control. In addition it gives you the ability to have what we call Monitor Mode where you can enable .1X or MAB. You can start defining your policies in ACS and just not actually applying any policy and you can see which ones are getting hit the most. Or if you create a policy and after two weeks it's never been hit, then you probably did a bad job writing your policy. But in these it's basically we're saying crawl, walk, run. So start out in Monitor Mode, migrate to Low Impact Mode and then if you need, then you can go to the High Security Mode.

Author's Original Notes:
Monitor Mode
Streamlined 802.1X client rollouts
Policy modeling with no impact on access
Visibility into who & what is connecting to your network

Low Impact Mode
Administratively defined incremental access restrictions
Allow base-level connectivity services (DHCP, PXE, etc.) prior to authentication
Perform differentiated access post authentication

High Security Mode
Prevent any access prior to successful authentication and authorization
Traditional closed mode
Applicable in high-security organizations: government, financial institutions, military, etc.
Tvr identity gtri
Cybersecurity: Identity and Access Control
Federal Identity and Access What is Cisco’s Role?
Disciplines of Security: Identity Is the Base
Information Access Control, Audit, Sharing, Encryption, Forensics, Threat Mitigation, Threat Migration, Data Leakage, Availability, Policy/Governance, Non-Repudiation, Inventory
Customer Challenge in Building an Access Policy in a Borderless Network
Common questions organizations ask:

Authorized Access
How can I restrict access to my network?
Can I manage the risk of using personal PCs?
Common access rights when on-prem, at home, on the road?
Endpoints are healthy?

Guest Access
Can I allow guests Internet-only access?
How do I manage guest access?
Can this work in wireless and wired?
How do I monitor guest activities?

Non-User Devices
How do I discover non-user devices?
Can I determine what they are?
Can I control their access?
Are they being spoofed?
Five Aspects of Identity
Who are you?
What is on your network?
Are you compliant?
Where can you go?
What service level do you receive?
What are you doing?
Federal Government Requirements
DISA STIG on access control in Support of Information Systems (Dec 2008), AC34.025 (CAT 1): The IAO/NSO will ensure either MAC security (with profiling) or 802.1X port authentication is used on all network access ports and configured in accordance with the Network Infrastructure STIG.
Recommended Security Controls for Federal Information Systems (NIST 800-53): "The information system typically uses either shared known information … or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP) or a Radius server with EAP-Transport Layer Security (TLS) authentication)"
Why 802.1X?
Industry-standard approach to identity
Most secure user/machine authentication solution
Complements other switch security features
Easier to deploy
Provides foundation for additional services (e.g., posture)
How Does 802.1X Work?
Supplicant (the endpoint's 802.1X client)
Authenticator: switch, router, WAP
Authentication Server: RADIUS server
Identity Store/Management: Active Directory, LDAP
Supplicant to Authenticator: Layer 2 request for service (connectivity)
Authenticator to Authentication Server: Layer 3 back-end authentication support
Authentication Server to Identity Store: identity store integration
Cisco Identity Differentiators
Cisco-only Features
Open Mode: Wake-on-LAN support, PXE boot, ease of deployment
Flexible Authentication (Flex-Auth): legacy device support
Multi-Domain Authentication (MDA): securely daisy-chain systems behind VoIP phones
ACS 5 Scalability: top-down visibility & centralized reporting for authentication and authorization
TrustSec: Security Group Tags

Other Enhancements
802.1AE: hop-by-hop encryption included in TrustSec
More robust supplicant than the built-in Windows supplicant
Identity-aware product roadmaps: more to come!
HBSS support, providing a layered approach to endpoint security
Identity Deployment Phases

Monitor Mode
Primary Features: Open mode; Multi-Auth; Flex Auth (optional)
Benefits: Unobstructed access; No impact on productivity; Gain visibility (AAA logs)

Low Impact Mode
Primary Features: Open mode; Multi-Domain; Port & dACLs
Benefits: Maintain basic connectivity; Increased access security; Differentiated access

High Security Mode
Primary Features: Traditional closed mode; Dynamic VLANs
Benefits: Strict access control
Building on the Foundation of Identity

TrustSec
Role-Based Access Control: network topology-independent; central policy enforcement
Data Integrity and Confidentiality: hop-to-hop data protection; preserves network service value
Network Virtualization: path isolation; L4–L7 scalability via tagging

Network Admission Control
Profiling Services: device profiling; behavioral monitoring; device reporting
Guest Services: guest and sponsor portals; role-based AUP; provisioning and reporting
Posture Services: managed device posture; unmanaged device scanning; remediation

Identity Infrastructure
Identity-Enabled Networks: user and device authentication; control network access (L2 and L3); device mobility in the network